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IDENTIFICATION OF MISSING PROPERTIES IN MODEL CHECKING 

FIELD OF THE INVENTION 

The present invention relates generally to design 
automation and verification, and specifically to hardware 
5 verification of integrated circuit design. 

BACKGROUND OF THE INVENTION 

Hardware verification is currently the bottleneck 
and the most expensive task in the design of a 
semiconductor integrated circuit. Model checking is a 

10 method of formal verification that is gaining in 
popularity for this purpose. The method is described 
generally by Clarke et al . in Model Checking (MIT Press, 
1999), which is incorporated herein by reference. 

To perform model checking of the design of a device, 

15 a verification engineer reads the definition and 
functional specifications of the device and then, based 
on this information, writes a set of properties {§} (also 
known as a specification) that the design is expected to 
fulfill. The properties are written in a suitable 

20 specification language for expressing temporal logic 
relationships between the inputs and outputs of the 
device. Such languages are commonly based on Computation 
Tree Logic (CTL) . A hardware model M (also known as an 
implementation) of the design, which is typically written 

25 in a hardware description language, such as VHDL or 
Verilog, is then tested to ascertain that the model 
satisfies all of the properties in the set, i.e., that 

Mf=(|), under all possible input sequences. Such testing is 
a form of reachability analysis. 
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Model checking is preferably carried out 
automatically by a symbolic model checking program, such 
as SMV, as described, for example, by McMillan in 
Symbolic Model Checking (Kluwer Academic Publishers, 
5 1993), which is incorporated herein by reference. A 
number of practical model checking tools are available, 
among them RuleBase, developed by IBM, which is described 
by Beer et al . in "RuleBase: an Industry-Oriented Formal 
Verification Tool," in Proceedings of the Design 

10 Automation Conference DAC 96 (Las Vegas, Nevada, 1996), 
which is incorporated herein by reference. 

As hardware devices grow larger and more complex, 
the set of properties needed for model checking becomes 
unwieldy. The verification engineer has no systematic 

15 way to be sure of whether the property set is complete, 
in the sense of covering all possible states and 
transitions that may occur in the model. If the property 
set is incomplete, a bug in the design may go undetected. 
The engineer may therefore continue to add more and more 

20 properties indefinitely, never knowing whether the set is 
yet sufficient or not. 

Coverage metrics have been applied in various fields 
of simulation-based verification in order to measure and 
improve the completeness with which a given simulation 

25 tool represents the actual behavior of a target system. 
An application of such a metric to model checking is 
described by Hoskote et al . in "Coverage Estimation for 
Symbolic Model Checking, " in Proceedings of the Design 
Automation Conference DAC 99 (IEEE Computer Society 

30 Press, 1999), which is incorporated herein by reference. 
The authors present a method for estimating whether a set 
of properties is sufficient to cover all possible states 
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of a model. They note, however, that their method cannot 
point out functionality that may be missing in the model, 
nor can it ensure that all possible paths between the 
states are covered. They indicate that "path coverage 
would be an ideal coverage metric because it can provide 
coverage of actual executions of the circuit over time." 
The authors consider that by comparison with state 
coverage, "path coverage is a much more intractable 
problem. " 
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SUMMARY OF THE INVENTION 

It is an object of some aspects of the present 
invention to provide improved methods and systems for 
design verification . 
5 It is a further object of some aspects of the 

present invention to provide improved methods and metrics 
for analyzing the coverage of a set of properties used in 
model checking, and in particular to provide methods for 
analyzing path coverage. 

10 In preferred embodiments of the present invention, a 

specification, consisting of properties, is generated to 
verify a given implementation model of a target system, 
and a tableau is constructed corresponding to the 
properties. Such a tableau is defined as a finite state 

15 machine that satisfies all of the properties in the 
specification. The states and transitions of the tableau 
are compared to those of the model to ascertain that 
there is full correspondence between the possible states 
and transitions of the model and those of the tableau. 

20 To the extent that there are no substantive differences, 
it is concluded that the set of properties fully 
specifies the model. 

In some preferred embodiments of the present 
invention, the tableau is compared to the model by 

25 inputting the tableau to a model checking program, such 
as SMV, along with the given model. If for every 
possible combination of inputs, the tableau gives exactly 
the same set of outputs as the model, then the 
specification of the properties is complete. On the 

30 other hand, if a difference occurs for some input, it 
means that the specified properties are insufficient 
and/or that there is an error in the model. The fact 
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that the outputs of the tableau exactly correspond to 
those of the model indicates that for every reachable 
state of the tableau, there is a corresponding state in 
the model, and for every possible transition in the 
5 tableau, there is a corresponding transition between the 
corresponding states in the model. It also means that 
there are no excess transitions or spurious initial 
conditions in the tableau that would allow transitions to 
be made among states in a way that would not be possible 
10 in the model. 
^ The methods of the present invention thus inform the 

m user when the specification of properties is complete or, 

'7Z alternatively, provide an indication as to where there 

hi may be flaws in the correspondence between the 

~j| 15 specification and the model. Such flaws typically point 
either to a state or transition in the tableau that is 
not implemented in the model, thus warning either that 
HJ the specification does not adequately constrain the 

q model, or that the model has failed to implement a 

Q 20 meaningful state or transition of the target system. By 
comparison, the method of Hoskote et al. is limited to 
finding an estimation of state coverage, and not 
transitions or exact state coverage, and therefore cannot 
provide a conclusive indication that the set of 
25 properties is complete. 

There is therefore provided, in accordance with a 
preferred embodiment of the present invention, a method 
for verification, including: 

providing an implementation model, which defines 
30 model states of a target system and model transitions 
between the model states; 
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providing a specification of the target system, 
including properties that the system is expected to obey; 

creating a tableau from the specification, the 
tableau defining tableau states with tableau transitions 
5 between the tableau states in accordance with the 
properties; and 

comparing the tableau transitions to the model 
transitions to determine whether a discrepancy exists 
therebetween . 

10 In a preferred embodiment, creating the tableau 

includes defining a finite state machine using a hardware 
description language, wherein the implementation model 
has model inputs and outputs, and wherein defining the 
finite state machine includes describing a virtual device 

15 having inputs and outputs corresponding to the model 
inputs and outputs of the implementation model. 
Preferably, comparing the transitions includes performing 
a reachability analysis using both the implementation 
model and the tableau while providing identical inputs to 

20 the inputs of both the implementation model and the 
tableau, and verifying that the outputs are always 
identical. Most preferably, performing the reachability 
analysis includes comparing the model and the tableau 
automatically using a model checker and providing 

25 evidence of a tableau transition that is not implemented 
in the model. 

In another preferred embodiment, comparing the 
tableau transitions includes associating model 
transitions with corresponding tableau transitions, 
30 wherein associating the transitions includes defining a 
reachable simulation preorder relating the model and the 
tableau. Preferably, associating the transitions 
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includes finding a tableau transition that is not 
implemented in the model and, most preferably, deriving 
an indication, based on the unimplemented transition, 
that the specification is not complete with respect to 
5 the model. Alternatively or additionally, finding the 
tableau transition that is not implemented in the model 
includes deriving an indication, based on the 
unimplemented transition, that a transition of the target 
system is missing in the model. 

10 Preferably, the method includes associating model 

states with corresponding tableau states. Further 
preferably, associating the model states with the 
corresponding tableau states includes finding a tableau 
state that is not implemented in the model and deriving 

15 an indication, based on the unimplemented state, that the 
specification is not complete with respect to the model. 
Alternatively or additionally, finding the tableau state 
that is not implemented in the model includes deriving an 
indication, based on the unimplemented state, that a 

20 state of the target system is missing in the model. 
Further alternatively or additionally, associating the 
model states with the corresponding tableau states 
includes finding multiple model states corresponding to a 
single tableau state. 

25 Preferably, creating the tableau includes creating a 

reduced tableau from which one or more redundant states 
have been eliminated. 

Further preferably, comparing the transitions 
includes verifying that the specification is a complete 

30 and correct description of the implementation model 
responsive to the comparison. 
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There is also provided, in accordance with a 
preferred embodiment of the present invention, a 
verification processor, which is configured to receive an 
implementation model, defining model states of a target 
5 system and model transitions between the model states, 
and to receive a specification of the target system, 
including properties that the system is expected to obey, 
and which is operative to create a tableau from the 
specification, the tableau defining tableau states with 
10 tableau transitions between the tableau states in 
O accordance with the properties, and to compare the 

■E tableau transitions to the model transitions to determine 

y = 

Q whether a discrepancy exists therebetween. Preferably, 

i'A the processor is operative to perform model checking of 

W 15 the implementation model, 

J There is further provided, in accordance with a 

y preferred embodiment of the present invention, a computer 

Hi software product for verification of a specification of a 

J? target system, which specification includes properties 

q 20 that the system is expected to obey, by comparison with 
an implementation model, which defines model states of 
the target system and model transitions between the model 
states, the product including a computer-readable medium 
having computer program instructions recorded therein, 
25 which instructions, when read by a computer, cause the 
computer to create a tableau from the specification, the 
tableau defining tableau states with tableau transitions 
between the tableau states in accordance with the 
properties, and to compare the tableau transitions to the 
30 model transitions to determine whether a discrepancy 
exists therebetween. 
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Preferably, the program instructions cause the 
computer to compare the tableau with the model by running 
a reachability analysis using both the implementation 
model and the tableau while providing identical inputs to 
5 the inputs of both the implementation model and the 
tableau, and verifying that the outputs are always 
identical. Most preferably, the reachability analysis is 
performed using an automatic model checker, and the 
instructions cause the computer to verify that the 

10 specification is a complete description of the 
implementation model. 

There is additionally provided, in accordance with a 
preferred embodiment of the present invention, a method 
for verification, including: 

15 providing an implementation model, which defines 

model states of a target system and model transitions 
between the model states; 

providing a specification of the target system, 
including properties that the system is expected to obey; 

20 creating a tableau from the specification, the 

tableau defining tableau states with tableau transitions 
between the tableau states in accordance with the 
properties; and 

comparing the model and the tableau by inputting the 

25 model and the tableau to an automatic model checking 
program. 

Preferably, comparing the model and the tableau 
includes providing evidence of a transition or state in 
the tableau that is not implemented in the model, most 
30 preferably in the form of a counter-example indicative of 
the unimplemented transition or state. 
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There is moreover provided, in accordance with a 
preferred embodiment of the present invention, model 
checking apparatus, which is configured to receive an 
implementation model, defining model states of a target 
5 system and model transitions between the model states, 
and to receive a specification of the target system, 
including properties that the system is expected to obey, 
and which is operative to create a tableau from the 
specification, the tableau defining tableau states with 
10 tableau transitions between the tableau states in 
Q accordance with the properties, and to compare the 

gp. tableau to the model by inputting the model and the 

jy tableau to an automatic model checking program, 

hj There is furthermore provided, in accordance with a 

^ 15 preferred embodiment of the present invention, a computer 
s software product for verification of a specification of a 

Jjf target system, which specification includes properties 

Rj that the system is expected to obey, by comparison with 

J: an implementation model, which defines model states of 

□ 20 the target system and model transitions between the model 
states, the product including a computer-readable medium 
having computer program instructions recorded therein, 
which instructions, when read by a computer, cause the 
computer to create a tableau from the specification, the 
25 tableau defining tableau states with tableau transitions 
between the tableau states in accordance with the 
properties, and to compare the tableau to the model by 
inputting the model and the tableau to an automatic model 
checking program. 
30 The present invention will be more fully understood 

from the following detailed description of the preferred 
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embodiments thereof, taken together with the drawings in 
which : 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic pictorial illustration showing 
5 a system for model checking, in accordance with a 
preferred embodiment of the present invention; 

Fig. 2 is a block diagram that schematically 
illustrates an implementation model used in model 
checking and a corresponding tableau of properties, in 
10 accordance with a preferred embodiment of the present 
invention; 

Fig. 3 is a state diagram that schematically 
illustrates a finite state machine corresponding to the 
tableau of Fig. 2, in accordance with a preferred 
15 embodiment of the present invention; 

Fig. 4 is a flow chart that schematically 
illustrates a method for verifying a set of properties 
generated for the purpose of model checking, in 
accordance with a preferred embodiment of the present 
2 0 invention; and 

Fig. 5 is a flow chart that schematically 
illustrates another method for verifying a set of 
properties generated for the purpose of model checking, 
in accordance with a preferred embodiment of the present 
25 invention. 
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DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Fig. 1 is a schematic pictorial illustration of a 
system 20 for model checking, in accordance with a 
preferred embodiment of the present invention. System 20 
5 typically comprises a verification processor 22, 
typically a general-purpose computer workstation running 
suitable model checking software, such as the 
above-mentioned IBM RuleBase, under the control of a 
verification engineer 24. The system receives a hardware 

10 implementation model 26 of a target system or device 30 
in development • Engineer 24 prepares a specification of 
properties 28, for use in model checking of model 26. 
The completeness and correctness of the specification are 
verified by system 20 using methods described in detail 

15 hereinbelow. 

Reference is now made to Fig. 2, which is a block 
diagram representing a model of a target hardware device 
40, in this case a simple two-port synchronous arbiter, 
used hereinbelow to exemplify a method for verifying 

20 property set 28, in accordance with a preferred 
embodiment of the present invention. Device 4 0 has two 
request inputs 42, labeled REQ0 and REQ1, and two 
acknowledge outputs 44, ACK0 and ACK1 . The assertion of 
ACKi is a response to the assertion of REQi . Initially, 

25 both outputs of the arbiter are inactive. At any time, 
at most one acknowledge output may be active. The 
arbiter grants one of the active requests in the next 
cycle, and uses a round robin algorithm in case both 
request inputs are active. In the case of simultaneous 

30 assertion (i.e. both requests are asserted and were not 
asserted in the previous cycle), REQ0 has priority in the 
first simultaneous assertion occurrence. In any 
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subsequent occurrence of simultaneous assertion the 
priority rotates with respect to the previous occurrence. 

An implementation of device 4 0 in the SMV language 
is presented below in Table I: 



10 



15 



20 



25 



1) var 

2) reqO; reql; 

3) assign 

4) init(ackO) 

5) init (ackl ) 

6) init ( robin) 

7) next(ackO) 



8) 



14) 



30 20) 



! reqO 



9) !reql 

10) !ack0&!ackl 

11) 1 

12) esac; 

13) next (ackl) 
! reql 



TABLE 1 

ackO; ackl; robin : boolean; 

= 0; 
= 0; 
=0; 

= case 

: 0; - No request results no 

ack 

: 1; - A single request 

:! robin; - Simultaneous requests 

assertions 
:!ack0; - Both requesting, toggle 

ack 



= case 



15) IreqO 

16) !ack0&!ackl 

17) 1 

18) esac; 

19) next (robin) 



0; - No request results no 

ack 

1; - A single request 

robin; - Simultaneous assertion 
lackl; - Both requesting, toggle 
ack 



=if req0&reql& ! ack0& ! ackl then ! robin 
else robin endif; - Two 

simultaneous request 
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assertions 

From the functional specification of arbiter 40 
given above, the following temporal formulas are derived 
5 that describe the properties of the device: 

1. The initial state is -.ackO a -iackl. 

2. At all times, mutual exclusion holds, i.e., -lackO v 
-iackl (property <|>1). 

3. At all times one of the following properties should 
10 hold: 

a) No requests followed by no acknowledge (property 
♦ 2) . 

b) A single request (when the other request is not 
active) is served in the following cycle (properties 

15 <|>3 and <|)4 ) . 

c) A request active while the alternate channel is 
being served will be served in the following cycle 
(properties <|)5 and §6) . 

d) When a cycle with no active request is followed by 
20 a cycle with two active requests, the result will be 

as follows - 

• The first such occurrence will result in 
acknowledgment to channel 0 (<|>0). 

• Each subsequent occurrence will result in 
25 acknowledgment of the channel that was not 

acknowledged in the previous occurrence (<|>7 and 
4>8) . 

The behavior of the arbiter under these conditions 
(no active request followed by two active requests) 
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is governed by the non-observable variable "robin," 
as defined in Table I. 
The above formulas correspond to the properties §0 , 
§1, <(>8 listed symbolically below in Table II, which are 
5 a complete specification of arbiter 40 written in the 
form of a safety formula \\f in Universal Computation Tree 
Logic (known as ACTL). ACTL is a branching-time temporal 
logic. It is described in detail by Grumberg et al. in 
"Model Checking and Modular Verification," in ACM 
10 Transactions on Programming Languages and Systems 16(3) 
(1994), pp. 843-871, which is incorporated herein by 
reference. As the variable "robin" is not observable, it 
does not appear explicitly in the properties in Table II. 

TABLE II 

15 \\J = — iack0 a — iacklA 

A[ (— .reqO v -.reql v ackO v ackl)W 

(reqO a reql a — >ack0 a -iackl a AXackO)]A - (j) 0 

AG ( 

(— .ackO v — iackl) a - <t>i 

20 (-.reqO a -.reql -> AX(-.ackO A-iackl) ) a - (t> 2 

(reqO a -ireql — » AX ackO) a - §3 

(-ireqO a reql — » AX ackl) a - <t>4 

(reql a ackO — > AX ackl) a - <t> 5 

(reqO a ackl — > AX ackO) a - <f>6 

25 (reqO a reql A-.ack0 A-,ackl AX(ackO 

A[ (-nreqO v— ireql v ackO v ackl)W 

(reqO a reql a— iackO A-iackl a AXackl)]))A 
(reqO a reql A-iackO A-iackl — » AX (ackl -> 
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A[ (-ireqO v-ireql v ackO v ackl)W 



(reqO a reql a— iackO A^ackl a AXackO) ] ) ) ) -§3 



This representation uses the temporal operators X ("next 
5 state"), W ("weak until," i.e., remains true until), and 
G ("globally"), along with the quantifier A ("for all 
paths") . It is noted that AG<f> = A[(J)Wfalse] . 

Fig. 3 is a state diagram that schematically 
illustrates a tableau 50, or state machine, corresponding 

10 to the properties of the safety formula in Table II, in 
accordance with a preferred embodiment of the present 
invention. The tableau . is preferably a "reduced 

tableau," as defined in Appendix A, which is most 
preferably constructed automatically, using a computer 

15 program that receives the properties as its input and 
implements the tableau construction algorithm listed in 
the appendix. The tableau is used, as described further 
hereinbelow, to verify that the properties completely 
cover the states and transitions of the device model 

20 defined in Table I. 

Tableau 50 comprises six state groups 52, 54, 56, 
58, 60 and 62. Each of the groups includes a number of 
states 64 that correspond to a particular output 
condition of device 40, i.e., in groups 52 and 60, ackO 

25 is asserted; in groups 54 and 62, ackl is asserted; and 
in groups 56 and 58, neither output is asserted (IackO 
!ackl). In state groups 52, 54 and 56, the 

non-observable variable robin = 0, whereas in groups 58, 
60 and 62, robin = 1. As indicated by an arrow 66, 

30 operation of device 40 begins in group 56, with IackO, 
! ackl and robin = 0. Transitions from one state to 
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another depend on the choice of inputs, which are marked 
in each state 64. Thus, for example, when reql is 
asserted in state group 52, a transition is invoked to 
group 54, in which ackl is asserted. 
5 Tableau 50 is a sort of virtual device, 

corresponding to actual target device 40. Appendix B 
accordingly contains source code in VHDL representing a 
tableau similar to tableau 50 as a device model. In 
preferred embodiments of the present invention, this 
10 virtual device is tested to determine whether its states 
and transitions correspond exactly to those of the actual 
01 device, or equivalently whether the behavior of the 

fi virtual device under all possible combinations of input 

•yj conditions is identical to that of the model of the 

]2 15 actual device. If differences are found, they are then 
^ indicative either that the tableau (and hence the 

specified properties) are incomplete or that the model 
fu itself is incomplete. Methods and criteria for testing 

H tableau 50 are described further hereinbelow. 

3 20 Fig. 4 is a flow chart that schematically 

illustrates a method for verifying a specification of 
model checking properties by comparing tableau 50 with 
device 40, in accordance with a preferred embodiment of 
the present invention. The method begins with 

25 preparation of the specification, such as the formula \|/ 
listed in Table II, and checking the device model M to 
ensure that the model satisfies the specification, i.e., 
that Mt=\\j . The specification is then used to construct 
the tableau. As shown in Fig. 2, tableau 50 as a virtual 

30 device model has virtual inputs 72 and outputs 74, 
corresponding respectively to inputs 42 and outputs 44 of 
implementation model 40 of the target device. For the 
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purpose of testing the tableau against the implementation 
model, the tableau inputs are labeled REQ0_SPEC and 
REQ1_SPEC, and the tableau outputs are labeled similarly, 
ACK0_SPEC and ACK1_SPEC. 
5 These input and output labels are inserted in a 

representation of the tableau, preferably in the form of 
suitable program code, as listed in Appendix B. IBM 
RuleBase, as described hereinabove, is capable of 
translating the VHDL code in Appendix B into the SMV 

10 language used by model checkers. In the example shown in 
Appendix B, the model of device 40 is simplified, 
relative to the definition in Tables I and II, in that 
the non-observable variable "robin" is not used. 
Instead, ackO always receives priority when a state in 

15 which there is no active request is followed by two 
active requests. 

In order to test the tableau against the device 
model, a new model is created, combining the original 
implementation model and the virtual device model of the 

20 tableau. Inputs 72 of tableau 50 are tied to the 
corresponding inputs 42 of implementation model 40, so 
that the implementation model and the tableau model will 
receive the same input signals. The new, combined model 
is then input to an automatic model checking program, 

25 such as SMV. The model checker is asked to verify that 
the following properties regarding the combined model 
outputs are always true of the combined model: 

ACK0==ACK0_SPEC 
30 ACK1==ACK1 SPEC 
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Alternatively, in certain cases, the two outputs may be 
checked separately, rather than in a single pass of the 
model checker, using separate tableaux corresponding to 
subsets of the specification properties that influence 
5 the particular outputs. 

If the above-mentioned properties of the combined 
model outputs are confirmed, tableau 50 is assured of 
representing a complete and correct specification of 
device 40. If the tableau specification is not 

10 sufficiently detailed, then the tableau outputs ACKi_SPEC 
£j will not be as constrained as the model outputs ACKi, and 

(Tj there will be some combination of inputs under which 

hi ACKi_SPEC will have two possible values when ACKi can 

y s 

yj have only one. This outcome will generally lead engineer 

15 24 to conclude that an additional constraint is required, 
s i.e., that a further property is needed in the 

E specification. Typically, a suitable property is added 

RJ and the specification is re-checked, repeating the steps 

P described above. If now ACKi==ACKi_SPEC, then the 

£3 20 specification can be considered complete and correct. 

Alternatively, it may turn out that evaluation of the 
model and specification in this manner will lead engineer 
24 to conclude that there is an error in the 
implementation model, such as a missing state or 
25 transition, which causes the outputs of the model and the 
tableau differ. It is a further advantage of automatic 
model checking programs that they provide evidence of 
such errors, in the form of "counter-examples," that 
assist the engineer in identifying and correcting the 
30 error. 

Fig. 5 is a flow chart that schematically 
illustrates another method for verifying a model checking 
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specification, in accordance with a preferred embodiment 
of the present invention. The method begins , like the 
method of Fig. 4, with preparation of a specification of 
model properties and model checking to determine that the 
model satisfies the specification. The specification is 
then used to create a corresponding tableau, which is 
evaluated against the device implementation model. The 
method of Fig . 5 differs from the method of Fig . 4 in the 
manner in which the tableau is evaluated, as described 
hereinbelow. Whereas the method of Fig. 4 is useful 
primarily in checking deterministic models, the method of 
Fig. 5 can be used for substantially any model, including 
non-deterministic models . 

In order to evaluate the tableau against the model, 
a simulation preorder, SIM, is calculated for the model 
and the tableau. SIM is a relation between the model M 
and the tableau T (SIM £ M x T) containing pairs of 
states (si,s t ) in M and T, respectively. SIM satisfies 
the following requirements: 

o For every initial state s 0 i of M, there is an 

initial state s 0 t of T, such that (soi/Sot) belongs to 

SIM. 

o For every pair of states (Si,s t ) in SIM, state si 
is characterized by the same set of atomic 
propositions as s t (i.e., the same values of the 
variables ACKi and REQi in the example of device 
40) . 

© For every state-to-state transition from state Si, 
there is a corresponding transition for state s t 
(although not necessarily a one-to-one 

correspondence) . 
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Formally, an algorithm for the computation of SIM is 
presented in Table III, below, in pseudocode form. Here 
Si(Si) is the set of all values of states in M, and S t (s t ) 
is the set of all values of states in T (<(>) . Ri(Si,Sj/) is 
5 the transition relation of M, and R t (s t ,St') is the 
transition relation of T ((()). Li(si) is a labeling 
function that computes the values of atomic propositions, 
AP, of a state si of M, while L t (s t ) is a labeling 
function that computes the values of atomic propositions, 
10 AP, of a state s t of T (<|>) . 

TABLE III 

Init : 

SIM Q (s ir s t ) := {(s if s t ) e S ± x S t \ L ± (s ± ) = L t (s t )}; j := 0 
Repeat { 

SIMj + i {(s if st) I 

Vs^ (r^, 3st' (i? t (s t , ^0 a SIMjisi* , s t 0)) a SIMj(s if s t ) 

} until SIMj^SIMj-2 
SIM:=SIMj 

20 Preferably, for efficient computation, Si, St, R±, Rt, 

Li, L t and SIMj are all represented as Ordered Binary 
Decision Diagrams (OBDDs) . This type of representation, 
using connected, directed, acyclic graphs, is known in 
the art of model checking. The use of OBDDs in this 

25 regard is described, for example, by McMillan in Symbolic 
Model Checking (Kluwer Academic Press, Norwell, 
Massachusetts, 1993), which is incorporated herein by 
reference . 
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All of the operations shown in Table III are well 
known for OBDDs, except for the computation of SIMj+i. To 
state this computation in OBDD terms, we define the 
following OBDD operations: 

5 

compose(y, u) = 3x(a(x, y) a b(x, u)) 
compose _ odd(y, u) = 3x(a(y, x) a b(u, x) 

These two operations operate on two OBDDs, a and b, over 
10 three vectors of n variables, x, y and u. In these 
terms, the computation of SIMj+i is given by: 

SIMj +1 (s i , s t ) :- -^compose _ odd{R 1 (s if s ± '), 

-^compose _ odd{R t {s t , s t f ), SIMj(s ± % , s t f )) ) a SIMj(s lr s t ) 

15 Based on the simulation preorder SIM, a reachable 

simulation preorder for M and T, ReachSIM, is determined. 
T may contain paths by which a state s is reached from an 
initial state, which do not have corresponding 
permissible paths in M. ReachSIM c SIM contains only 

20 pairs of states (si,s t ) characterized in that states s± 
and s t are reached by corresponding paths Tti and 7i t from 
corresponding initial states. A path n± = s 0 ±, sn, Si, 
and a path n t — s 0 t/ Sn, s t are considered to 

correspond if every pair of states (Si,s t ) along the paths 

25 belongs to SIM. Details of the computation of ReachSIM 
are presented in Table IV: 

TABLE IV 

Init : 
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ReachSIM Q := (s 0i x 



5 0t ) n SIM; j := 0 



iRepea t { 



Reach SIM 



:= {(s^ , s t ') | 3s_i, s t (ReachSIMj(i 



[s if S t ) A ^(Si, Si') A 



5 




I : I 
: s 

yy 



15 



20 



25 



2? t (s t , s t ') a SIm(s ± * , s t ! )) } u ReachSIMj 
J := J + l 

} until ReachSIMj = ReachSIMj-x 
ReachSIM := ReachSIMj 

Here, too, if S±, S t , R±, R t , L if L t and ReachSIMj are all 
OBDDs, then all of the operations in Table IV are well 
known, except for the computation of ReachSIMj+i, which is 
given in OBDD terms by: 

ReachSIMj + 1 (s ± , s t ) := (compose(compose(ReachSIMj(s ir s t ) 
R±(s ± , s ± ')) , R t (s t , s t ')) a 5J^^(s i , , s t ')) v ReachSIMj^ , s t ') 

ReachSIM thus identifies a set of states in T having 
transitions that correspond to the actual transitions in 
M. There may yet be, however, states or transitions in T 
that do not have corresponding states or transitions in 
M, meaning that the specification does not constrain the 
implementation model tightly enough, so that one or more 
additional properties are needed. Such states and 

transitions are referred to herein as being 
"unimplemented. " There may likewise be states in T that 
correspond simultaneously to two or more states in M. 
Such discrepancies are detected using ReachSIM to 
evaluate the following criteria (preferably using OBDD 
operations), either serially or in parallel: 

• Unimplemented start states: 
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{s t e S 0t | e Soi^, s t ) g ReachSIM^ 

These are initial tableau states that have no 
corresponding initial states in the model (and 
therefore are absent from ReachSIM) . The existence 
5 of an unimplemented start state indicates either 

that the specification does not adequately constrain 
the start states, or that the model is lacking a 
required initial state, 
o Unimplemented states: 
10 {s t g S t I Vs i e S ± [(s ir s t ) £ ReachSIM^ 

The existence of a state anywhere in the tableau 
that is not included in ReachSIM indicates either 
that the specification is lacking in constraints or 
that a meaningful state of the device is not 
15 implemented in the model. 

o Unimplemented transitions: 
(s t , s t } ) e R t I 3s ie s ± * G S ie 

(s ± , s t ) g ReachSIM, (s if s t ') g ReachSIM, (s ir s^) € R±] } 
These are transitions between states of the tableau 
for which there is no corresponding transition in 

20 the model. The states belong to ReachSIM, so that 

they have corresponding states in the model, which 
are reached by corresponding paths. The existence 
of an unimplemented transition indicates either that 
the specification is not tight enough or that a 

25 required transition, between reachable 

implementation states, was not implemented in the 
model. Assuming Si, R±, R t and ReachSIM are all 
OBDDs, the set of unimplemented transitions can be 
represented by the following equation: 

30 
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nimplementedTransition{s t , s t ! ) := composei 

compose^R^Sj^, s^), ReachSIM(s if s t )), ReachSIM{s± , s t ! )) a R t {s t , s t ! ) 

© Many-to-one mapping: 
s t g S t | 3s u , s 2i e S ± 

i s l±' s t) e ReachSIM, (s 2 ± f s t ) e ReachSIM, * S2±] 
In this case, there may be a tableau state to which 
5 multiple implementation states are mapped, i.e., a 

state s which is paired in ReachSIM with at least 
two different model states s±' and Sj'. The 
existence of a many-to-one state indicates either 
that the specification is not sufficiently detailed, 
10 or that the implementation contains redundancies. 

If ReachSIM and the model states are OBDDs, the set 
of many-to-one states can be represented by: 

ManyToOne(s t ) = 3vi(ReachSIM(si, s t ) a compose((s 1 ^ s 2 ) 
ReachSIM(s 2 , § t )) 

15 

If the first three of these four criteria return 
empty results, then T is a complete specification of M. 
Any dissimilarity between the tableau and the 
implementation will result in a non-empty result. 

20 Preferably, the tableau T that is used in this method is 
a reduced tableau, as defined in Appendix A, since 
traditional (non-reduced) tableaux typically contain 
redundancies, which are removed in the reduced tableau. 
If the first three of the criteria above hold (i.e., 

25 return empty results), T and M are bisimilar, and the 
fourth criterion is not necessary to establish the 
completeness of T. It may, however, indicate that there 
are redundancies in the implementation. 
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As noted hereinabove, verification of specification 
properties vis-a-vis the implementation model, using any 
of the methods described herein, is preferably carried 
out using software for this purpose running on processor 
5 22. Software for use in such verification is preferably 
supplied as component of a simulation and model checking 
software package. Alternatively, the software for 

tableau construction and verification is provided as an 
independent software package. In either case, the 

10 software may be conveyed to processor 22 in intangible 
form, over a network, for example, or on tangible media, 
such as CD-ROM. 

Although preferred embodiments are described 
hereinabove with reference to certain methods and 

15 languages used in model checking, it will be understood 
that the application of the present invention is not 
limited to any particular language or method of 
implementation. Those skilled in the art will appreciate 
that the principles of the present invention may 

20 similarly be used in other areas of verification, not 
only for electronic devices, but also in verification of 
other types of target systems, as well, for example, 
transportation systems or complex valve manifolds. It 
will thus be understood that the preferred embodiments 

25 described above are cited by way of example, and the full 
scope of the invention is limited only by the claims. 
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APPENDIX A 

1 Reduced Tableau for ACTL 

In this section we define a reduced tableau for the subset of ACTL safety 
formulas. We follow the definition of the reduced tableau for LTL presented 
in [3]. A tableau is a special form of a Kripke structure, consisting of states 
labeled with atomic propositions and transitions between the states. As is 
often the case with tableaux for temporal logics (e.g. [2. 1]). a state of the 
tableau consists of a set of formulas that are supposed to hold along all paths 
leaving the state. Unlike typical tableaux, however, the formulas in the states 
of the reduced tableau are interpreted over a three-valued domain. Thus, a 
state may include a formula or its negation, or none of the two. If the latter 
occurs, it reflects a "don't care ,; situation, i.e.. the formula may be either 
true or false in the state. 

Similarly to [2]. we wish the reduced tableau for a formula -0 to satisfy 
4>. Furthermore, it should be greater by the simulation preorder [4] than 
any Kripke structure that satisfies ip. In order to achieve these goals we 
will adapt both definitions of |= and simulation preorder to be applicable 
to three-valued structures. Below we present the formal definitions of the 
tableau and of the adapted relations. 

Let AP$ be the set of atomic propositions in an ACTL formula 'ip . 

Definition 1.1 (sub-formulas) The set of sub-formulas ofip is defined 
recursively as follows : 

1. sub{p) = {p} and sub(^p) = {-.p}, if p e AP^ 

2. subfa) = {cp} U sub{g r ) U sub(g 2 ), if <p = gi A g 2 or ip = 9l V g 2 - 

3. sub{AX 9l ) = {AX 9l } U sub( 9l ) 
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4- sub{A[g x Wg 2 ]) = {A[g x Wg 2 } : AXA[g x Wg 2 }} U sub{ gi ) U sub(g 2 ) 

We will distinguish between a-formulas and /^-formulas, which are con- 
junctions and disjunctions, respectively. In the reduced tableau ; if a state 
satisfies a conjunction, then it also satisfies its two conjuncts. On the other 
hand, if it satisfies a a disjunction, it will usually satisfy only one of the 
disjunct, leaving the other as "don't care". 

Definition 1.2 (a- formula) 

A formula g 6 sub(t/j) is an a-formula if g = g x A g 2 . 

Definition 1.3 (/3-formula) 

A formula g 6 sub(ip) is a {3-formula if : 

1- 9 = 9i V g 2 . in which case k x (g) = {g x } and k 2 (g) = {g 2 }. 

2. g = A\g 1 Wg 2 ] f in which cast k x {g) = {g 2 } and k 2 (g) = {g 1: AXA[g x Wg 2 ]}. 

Definition 1.4 (A particle) A set of formulas P is a particle if: 

1. PC sub{xi>) 

2. P eP -+ g P 

3. -^peP-+p#p 

4- P dots not contain any ot-formula nor any (3-formula. 

Definition 1.5 (Implied successor) A formula g is an implied successor 
of a particle P if AXg E P. We denote by imps(P) the set of implied 
successors of P. i.e., imps(P) = {g\AXg G P} 

Note that if P does not include any formula of the form AXg then 
imps(P) = {} . The particle {} means that the state reached has no com- 
mitments to satisfy any of the formulas. Thus, it may be the start of any 
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possible paths. Furthermore, it may simulate any state. We later see that 
the only son of particle {} is the particle {} itself. 

function Remove Jtedandant{S : Set of Particles) : returns Set of Particles 
return the largest set such that {P (= S\VPi 6 S. Pi <£ P} 



recursive function cover p (B : Set of formulas) returns : Set of particles 
if B is not locally consistent then return {} - no particles contain B 
if there exists some a-formula r = ri A r 2 in B 

then return cover p (B — {r} U {ri : r 2 }) 
if there exists some /?-formula r such that r e B then return 

cover p (B - {r} U h (r)) U cover p (B - {r} U Jba(r)) 
return {B} - 5 is a particle 

end function 

Definition 1.6 (Successors p (P)) 

Successorsp(P) = Remove Jtedandant{cover p {imps{P))) . 

We now describe an iterative algorithm PART.TAB that produces the tableau 
structure. 
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Algorithm : PART_TAB 

Sro := Remave-Redandant(cover p ({ipy)) 

S r '.= StO 

R T :=0 

Mark all particles in S T as unprocessed 
For each unprocessed particle P in S T do 

S := successor s p (P): 

For each Q g S 

Add (P,Q) to /? r ; 

Define L(P) = Pn {p|p G ,4^} n {-ip|p G AP^} 
If Q<£S T : 

Add Q to S T : 

Mark Q as unprocessed; 
end for 

Mark P as processed; 
end for 
end for 

Note that a state is labeled by propositions from AP and by their nega- 
tions. Since a state is a particle, it will never contain both a proposition and 
its negation, but it may contain none of them. 

We now prune the structure we received, such that any particle has at 
least one successor. 



IS999-035 



30 



35519S3 



Algorithm : PRUNE_TAB 

Mark all particles in S T as unprocessed 
Repeat until all particles in S T are processed 
For each unprocessed particle P in S T do 
If P has no successors 
Remove P from S T 
Remove any edge going to P from R T 
Mark the remaining particles in S T as unprocessed 
Skip 

Mark P as processed: 
end for 
end Repeat 

After activating PART.TAB and PRUNEJTAB we have produced the 
tableau t(0) =< S T , S t0: R t: L t > for 0. 

Note that the tableau we construct is total. Any particle that has no 
successors is removed. 
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APPENDIX B 

The following is a program listing in VHDL 
describing a tableau that corresponds generally to the 
properties of arbiter 40 listed in Table II. As noted 
5 hereinabove, however, the listing below is based on a 
simplified model without the non-observable variable 
"robin." In place of the output names ACK0__SPEC and 
ACK1__SPEC shown in Fig. 2, the names ack0_new and 
ackl_new are used in the listing; and reqO and reql in 
10 the listing correspond respectively to REQ0_SPEC and 
51 REQ1 SPEC. 



library ieee; 

use ieee. std_logic_1164 . all; 
m entity full_spec is 





port { 






rb clock 


: in std ulogic; 




ackO new 


: in std ulogic; 


20 


ackl_new 


: in std_ulogic; 




reqO 


: in std ulogic; 




reql 


: in std_ulogic; 




reset 


: in std ulogic; 




fails 


: out 



2 5 std_ulogic_vector ( 0 to 5) 

) ; 



end full_spec; 



30 architecture rb of full_spec is 

signal not_rb_reset : std__ulogic ; 
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signal rb_reset : std_ulogic ; 
type rb_enum__type is ( iu_enum_s 1 ash_er r , 
iu enum slash z) ; 



begin 



p: 

process 
begin 

10 wait until rb_clock 1 event and rb_clock= T 1 1 ; 

not_rb_reset <= 1 1 1 ; 
end process; 

rb_reset <= reset or (not not_rb_reset ) ; 

15 

f 1 : 

fails (0) <= not b21 ( ( ( ( (not ack0_new) or (not 

ackl_new) ) ) /= ' 0 ' ) 
or (rb_reset /= T 0 T ) or (rb_clock /= *1')); 
20 f2 : 

block 

constant n: integer := 4; 

signal v: std_ulogic_vector ( 0 to n-1) : = 
"1110"; 

25 signal v_out: std_ulogic__vector (0 to n-1); 

signal vnext : std_ulogic_vector (0 to n-1); 
signal ok: std__ulogic := ! l f ; 
begin 
v_out(0) <= f 0 ! ; 
30 v_out(l) <= v(l) and d 1 ); 

v_out(2) <= v(2) and (((not reqO) and (not 
reql) ) ) ; 
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v_out(3) <= v(3) and ((not ((not ackO_new) and 
(not ackl new) ) ) ) ; 



vnext(O) <= '0'; 

vnext(l) <= v_out ( 1 ) 

vnext(2) <= v_out ( 1 ) 

vnext (3) <= v out (2) 



10 process 
begin 

wait until rb_clock T event and rb_clock= 1 1 1 ; 
if rb_reset = T 1 T then 
v <= "1110"; 
15 ok <= '1'; 

else 

if (not (v(3) and (not ((not ack0_new) 
and (not ackl_new) ) 

) ) ) - ' 0 ' then 
20 ok <= 1 0' ; 

elsif ok = ' 0 1 then 

ok <= ' 1 1 ; 
end if; 

2 5 v <= vnext; 

end if; 
end process; 



30 fails (1) <= not b21 ((ok /= f 0') or (rb_reset 

/= '0') 

or (rb clock /= ' 1' ) ) ; 
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end block; 

f3: 
block 

5 constant n: integer := 4; 

signal v: std_ulogic_vector ( 0 to n-1) := 
"1110"; 

signal v_out : std_ulogic_vector ( 0 to n-1); 
signal vnext : std_ulogic_vector ( 0 to n-1); 
10 signal ok: std_ulogic := 1 l f ; 

begin 
v_out(0) <= '0'; 
v_out ( 1 ) <= v ( 1 ) and ( 1 1 ' ) ; 

v_out(2) <= v(2) and ( (reqO and (not ack0__new) ) ) ; 
15 v_out(3) <= v(3) and ((not ack0_new) ) ; 

vnext (0) <= ! 0 ! ; 

vnext (1) <= v_out(l); 

vnext (2) <= v_out(l); 

20 vnext (3) <= v_out(2); 

p: 

process 
begin 

25 wait until rb_clock 1 event and rb_clock= ? 1 1 ; 

if rb_reset = 'l f then 
v <= "1110"; 
ok <= 

else 

30 if (not (v(3) and (not ack0_new) ) ) = 

f 0' then 
ok <= ' 0 f ; 
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elsif ok = 1 0 1 then 

ok <= ' 1 T ; 
end if; 



v <= vnext; 
end if; 
end process; 



10 fails (2) <= not b21 ((ok /= f 0 T ) or (rb_reset 

/= '0') 

or (rb_clock /= ' 1 1 ) ) ; 
end block; 



15 f4: 

block 

constant n: integer := 4; 

signal v: s td_ulogic_vector ( 0 to n-1) := 
"1110"; 

20 signal v_out: std_ulogic_vector ( 0 to n-1) ; 

signal vnext: std_ulogic_vector ( 0 to n-1); 
signal ok: std_ulogic := ! l f ; 
begin 
v_out(0) <= f 0 f ; 
25 v_out(l) <= v(l) and ( f l'); 

v_out(2) <= v(2) and (((not reqO) and reql)); 
v out (3) <= v(3) and ((not ackl new) ) ; 



vnext ( 0 ) 
vnext ( 1 ) 
vnext (2) 
vnext ( 3 ) 



' 0 r ; 

v_out ( 1 ) ; 
v_out ( 1 ) ; 
v out (2) ; 



<= 
<= 
<= 
<= 
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p: 

process 
begin 

5 wait until rb_clock 1 event and rb_clock= 1 1 ' ; 

if rb_reset = 'l f then 
v <= "1110"; 
ok <= ? 1 1 ; 

else 

™ 10 if (not (v(3) and (not ackl_new) ) ) = 

y3 T 0 f then 

ok <= ! 0' ; 

Hi elsif ok = ' 0 ' then 

S • ok <= ! 1'; 

=F 15 end if; 

Si v <= vnext; 

end if; 
^ end process; 

20 

fails (3) <= not b21 ( (ok /= f 0 T ) or (rb_reset 
/= ' 0 ' ) 

or (rb_clock /= ' 1 ' ) ) ; 
25 end block; 

f 5: 

block 

constant n: integer := 4; 
30 signal v: std_ulogic_vector ( 0 to n-1) := 

"1110"; 

signal v_out : std_ulogic_vector ( 0 to n-1); 
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signal vnext : std_ulogic_vector ( 0 to n-1); 

signal ok: std_ulogic := '1'; 
begin 
v_out ( 0 ) <= T 0 f ; 

v_out ( 1 ) <= v ( 1 ) and ( ' 1 ' ) ; 

v_out(2) <= v(2) and ( (reql and ackO_new) ) ; 

v out (3) <= v(3) and ((not ackl new)); 



vnext ( 0) 
vnext ( 1 ) 
vnext (2) 
vnext (3) 



'0'; 

v_out (1) 
v_out (1) 
v out (2) 



<= 
<= 
<= 
<= 



P: 

process 
begin 

wait until rb_clock 1 event and rb_clock= 1 1 1 ; 
if rb_reset = ! 1 T then 
v <= "1110"; 
ok <= 1 1 1 ; 

else 

if (not (v(3) and (not ackl_new) ) ) 
1 0 f then 

ok <= 1 0 f ; 
elsif ok = '0' then 

ok <= 1 l f ; 
end if; 



v <= vnext; 
end if; 
end process; 



IS999-035 



39 



* 



35519S3 



p 

20 



fails (4) <= not b21 ((ok /= ' 0') or (rb_reset 
/= ' 0' ) 

or (rb_clock /= f l T ) ) ; 
5 end block; 

f 6: 

block 

constant n: integer := 4; 
10 signal v: s td_ulogic_vector { 0 to n-1) := 

"1110"; 

signal v_out : std_ulogic_vector ( 0 to n-1); 

signal vnext: std_ulogic_vector ( 0 to n-1); 

signal ok: std_ulogic := f l'; 
15 begin 

v_out(0) <= f 0 T ; 

v_out(l) <= v(l) and (T); 

v_out(2) <= v(2) and ( (reqO and (not reql))); 
v out(3) <= v{3) and ((not ackO new) ) ; 



25 



vnext ( 0 ) <= 1 0 ' ; 

vnext ( 1 ) <= v_out ( 1 ) ; 

vnext ( 2 ) <= v_out ( 1 ) ; 

vnext (3) <= v out(2); 



p: 

process 
begin 

wait until rb__clock T event and rb_clock= f l l 
30 if rb_reset = f l' then 

v <= "1110"; 
ok <= 1 1 T ; 
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else 

if (not (v(3) and (not ackO_new) ) ) 
'0' then 

ok <= ' 0' ; 
elsif ok = '0' then 

ok <= ' 1' ; 
end if; 



v <= vnext; 
10 end if; 

end process; 



fails (5) <= not b21 ( (ok /= '0') or (rb_reset 
15 /= '0') 

or (rb_clock /= » 1 ' ) ) ; 
end block; 

end rb; 
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